1*f23ec8efSbeck /* $OpenBSD: verifytest.c,v 1.8 2023/05/28 09:02:01 beck Exp $ */
2d49505fbSjsing /*
3d49505fbSjsing * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4d49505fbSjsing *
5d49505fbSjsing * Permission to use, copy, modify, and distribute this software for any
6d49505fbSjsing * purpose with or without fee is hereby granted, provided that the above
7d49505fbSjsing * copyright notice and this permission notice appear in all copies.
8d49505fbSjsing *
9d49505fbSjsing * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10d49505fbSjsing * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11d49505fbSjsing * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12d49505fbSjsing * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13d49505fbSjsing * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14d49505fbSjsing * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15d49505fbSjsing * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16d49505fbSjsing */
17d49505fbSjsing
18d49505fbSjsing #include <err.h>
19d49505fbSjsing #include <stdio.h>
20d49505fbSjsing #include <stdlib.h>
21d49505fbSjsing
22d49505fbSjsing #include <openssl/x509v3.h>
239a94eeb1Sbcook #include <tls.h>
24d49505fbSjsing
/*
 * The routine under test. It is declared here rather than coming from
 * tls.h, so presumably it is internal to libtls and the test links against
 * the library's internal objects. On success it returns 0 and reports via
 * *match whether name matched the certificate; a negative return indicates
 * a malformed name in the certificate (see the want_return = -1 cases).
 */
extern int tls_check_name(struct tls *ctx, X509 *cert, const char *name,
    int *match);
2766b91627Sjsing
/*
 * One subjectAltName entry of a test certificate.
 *
 * A name_type of 0 marks an unused slot (cert_add_alt_names() skips it);
 * alt_names_add() only knows how to build GEN_DNS and GEN_IPADD entries.
 * A name_len of -1 means name is a NUL-terminated string and
 * ASN1_STRING_set() takes its strlen(); an explicit length is required for
 * raw iPAddress octets and for dNSNames carrying an embedded NUL.
 */
struct alt_name {
	const char name[128];	/* dNSName text or raw iPAddress octets */
	int name_len;		/* byte count, or -1 for strlen(name) */
	int name_type;		/* GEN_DNS, GEN_IPADD, or 0 when unused */
};
33d49505fbSjsing
/*
 * One tls_check_name() test case. do_verify_test() builds a certificate
 * with the given subject CN (if any) and up to three SANs, then checks it
 * against name and compares the outcome with want_return / want_match.
 */
struct verify_test {
	const char common_name[128];	/* subject CN; ignored when common_name_len is 0 */
	int common_name_len;		/* 0: no CN at all, -1: strlen(common_name), else explicit byte count */
	struct alt_name alt_name1;	/* SAN slots; a name_type of 0 leaves a slot unused */
	struct alt_name alt_name2;
	struct alt_name alt_name3;
	const char name[128];		/* name handed to tls_check_name() */
	int want_return;		/* expected tls_check_name() return value */
	int want_match;			/* expected value left in *match */
	int name_type;			/* string type for the CN entry; 0 selects MBSTRING_ASC */
};
45d49505fbSjsing
/*
 * Test table. Conventions: common_name_len of -1 means strlen(), 0 means
 * the certificate carries no CN; a SAN slot with name_type 0 is unused.
 * No entry sets verify_test.name_type, so every CN below is added as
 * MBSTRING_ASC (see do_verify_test()).
 */
struct verify_test verify_tests[] = {
	{
		/* CN without SANs - matching. */
		.common_name = "www.openbsd.org",
		.common_name_len = -1,
		.name = "www.openbsd.org",
		.want_return = 0,
		.want_match = 1,
	},
	{
		/* Zero length name - non-matching. */
		.common_name = "www.openbsd.org",
		.common_name_len = -1,
		.name = "",
		.want_return = 0,
		.want_match = 0,
	},
	{
		/* CN wildcard without SANs - matching. */
		.common_name = "*.openbsd.org",
		.common_name_len = -1,
		.name = "www.openbsd.org",
		.want_return = 0,
		.want_match = 1,
	},
	{
		/* CN without SANs - non-matching. */
		.common_name = "www.openbsdfoundation.org",
		.common_name_len = -1,
		.name = "www.openbsd.org",
		.want_return = 0,
		.want_match = 0,
	},
	{
		/* CN wildcard without SANs - invalid CN wildcard. */
		/* Wildcard must be the whole leftmost label, not a prefix. */
		.common_name = "w*.openbsd.org",
		.common_name_len = -1,
		.name = "www.openbsd.org",
		.want_return = 0,
		.want_match = 0,
	},
	{
		/* CN wildcard without SANs - invalid CN wildcard. */
		/* Wildcard is only accepted in the leftmost label. */
		.common_name = "www.*.org",
		.common_name_len = -1,
		.name = "www.openbsd.org",
		.want_return = 0,
		.want_match = 0,
	},
	{
		/* CN wildcard without SANs - invalid CN wildcard. */
		.common_name = "www.openbsd.*",
		.common_name_len = -1,
		.name = "www.openbsd.org",
		.want_return = 0,
		.want_match = 0,
	},
	{
		/* CN wildcard without SANs - invalid CN wildcard. */
		.common_name = "*",
		.common_name_len = -1,
		.name = "www.openbsd.org",
		.want_return = 0,
		.want_match = 0,
	},
	{
		/* CN wildcard without SANs - invalid CN wildcard. */
		/* A wildcard over a public suffix must not match. */
		.common_name = "*.org",
		.common_name_len = -1,
		.name = "www.openbsd.org",
		.want_return = 0,
		.want_match = 0,
	},
	{
		/* CN wildcard without SANs - invalid CN wildcard. */
		.common_name = "*.org",
		.common_name_len = -1,
		.name = "openbsd.org",
		.want_return = 0,
		.want_match = 0,
	},
	{
		/* CN IPv4 without SANs - matching. */
		.common_name = "1.2.3.4",
		.common_name_len = -1,
		.name = "1.2.3.4",
		.want_return = 0,
		.want_match = 1,
	},
	{
		/* CN IPv4 wildcard without SANS - invalid IP wildcard. */
		.common_name = "*.2.3.4",
		.common_name_len = -1,
		.name = "1.2.3.4",
		.want_return = 0,
		.want_match = 0,
	},
	{
		/* CN IPv6 without SANs - matching. */
		.common_name = "cafe::beef",
		.common_name_len = -1,
		.name = "cafe::beef",
		.want_return = 0,
		.want_match = 1,
	},
	{
		/* CN without SANs - error due to embedded NUL in CN. */
		/* Bytes decode to "www.openbsd.org\0nasty.org" (25 bytes). */
		.common_name = {
			0x77, 0x77, 0x77, 0x2e, 0x6f, 0x70, 0x65, 0x6e,
			0x62, 0x73, 0x64, 0x2e, 0x6f, 0x72, 0x67, 0x00,
			0x6e, 0x61, 0x73, 0x74, 0x79, 0x2e, 0x6f, 0x72,
			0x67,
		},
		.common_name_len = 25,
		.name = "www.openbsd.org",
		.want_return = -1,
		.want_match = 0,
	},
	{
		/* CN wildcard without SANs - invalid non-matching name. */
		.common_name = "*.openbsd.org",
		.common_name_len = -1,
		.name = ".openbsd.org",
		.want_return = 0,
		.want_match = 0,
	},
	{
		/* CN with SANs - matching on first SAN. */
		.common_name = "www.openbsd.org",
		.common_name_len = -1,
		.alt_name1 = {
			.name = "www.openbsd.org",
			.name_len = -1,
			.name_type = GEN_DNS,
		},
		.alt_name2 = {
			.name = "ftp.openbsd.org",
			.name_len = -1,
			.name_type = GEN_DNS,
		},
		.name = "www.openbsd.org",
		.want_return = 0,
		.want_match = 1,
	},
	{
		/* SANs only - matching on first SAN. */
		.common_name_len = 0,
		.alt_name1 = {
			.name = "www.openbsd.org",
			.name_len = -1,
			.name_type = GEN_DNS,
		},
		.alt_name2 = {
			.name = "ftp.openbsd.org",
			.name_len = -1,
			.name_type = GEN_DNS,
		},
		.name = "www.openbsd.org",
		.want_return = 0,
		.want_match = 1,
	},
	{
		/* SANs only - matching on second SAN. */
		.common_name_len = 0,
		.alt_name1 = {
			.name = "www.openbsd.org",
			.name_len = -1,
			.name_type = GEN_DNS,
		},
		.alt_name2 = {
			.name = "ftp.openbsd.org",
			.name_len = -1,
			.name_type = GEN_DNS,
		},
		.name = "ftp.openbsd.org",
		.want_return = 0,
		.want_match = 1,
	},
	{
		/* SANs only - non-matching. */
		.common_name_len = 0,
		.alt_name1 = {
			.name = "www.openbsd.org",
			.name_len = -1,
			.name_type = GEN_DNS,
		},
		.alt_name2 = {
			.name = "ftp.openbsd.org",
			.name_len = -1,
			.name_type = GEN_DNS,
		},
		.name = "mail.openbsd.org",
		.want_return = 0,
		.want_match = 0,
	},
	{
		/* CN with SANs - matching on second SAN. */
		.common_name = "www.openbsd.org",
		.common_name_len = -1,
		.alt_name1 = {
			.name = "www.openbsd.org",
			.name_len = -1,
			.name_type = GEN_DNS,
		},
		.alt_name2 = {
			.name = "ftp.openbsd.org",
			.name_len = -1,
			.name_type = GEN_DNS,
		},
		.name = "ftp.openbsd.org",
		.want_return = 0,
		.want_match = 1,
	},
	{
		/* CN with SANs - matching on wildcard second SAN. */
		.common_name = "www.openbsdfoundation.org",
		.common_name_len = -1,
		.alt_name1 = {
			.name = "www.openbsdfoundation.org",
			.name_len = -1,
			.name_type = GEN_DNS,
		},
		.alt_name2 = {
			.name = "*.openbsd.org",
			.name_len = -1,
			.name_type = GEN_DNS,
		},
		.name = "www.openbsd.org",
		.want_return = 0,
		.want_match = 1,
	},
	{
		/* CN with SANs - non-matching invalid wildcard. */
		.common_name = "www.openbsdfoundation.org",
		.common_name_len = -1,
		.alt_name1 = {
			.name = "www.openbsdfoundation.org",
			.name_len = -1,
			.name_type = GEN_DNS,
		},
		.alt_name2 = {
			.name = "*.org",
			.name_len = -1,
			.name_type = GEN_DNS,
		},
		.name = "www.openbsd.org",
		.want_return = 0,
		.want_match = 0,
	},
	{
		/* CN with SANs - non-matching IPv4 due to GEN_DNS SAN. */
		/* An IP literal must only match an iPAddress SAN, never a dNSName. */
		.common_name = "www.openbsd.org",
		.common_name_len = -1,
		.alt_name1 = {
			.name = "www.openbsd.org",
			.name_len = -1,
			.name_type = GEN_DNS,
		},
		.alt_name2 = {
			.name = "1.2.3.4",
			.name_len = -1,
			.name_type = GEN_DNS,
		},
		.name = "1.2.3.4",
		.want_return = 0,
		.want_match = 0,
	},
	{
		/* CN with SANs - matching IPv4 on GEN_IPADD SAN. */
		.common_name = "www.openbsd.org",
		.common_name_len = -1,
		.alt_name1 = {
			.name = "www.openbsd.org",
			.name_len = -1,
			.name_type = GEN_DNS,
		},
		.alt_name2 = {
			.name = {0x01, 0x02, 0x03, 0x04},
			.name_len = 4,
			.name_type = GEN_IPADD,
		},
		.name = "1.2.3.4",
		.want_return = 0,
		.want_match = 1,
	},
	{
		/* CN with SANs - matching IPv6 on GEN_IPADD SAN. */
		.common_name = "www.openbsd.org",
		.common_name_len = -1,
		.alt_name1 = {
			.name = "www.openbsd.org",
			.name_len = -1,
			.name_type = GEN_DNS,
		},
		.alt_name2 = {
			.name = {
				0xca, 0xfe, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xbe, 0xef,
			},
			.name_len = 16,
			.name_type = GEN_IPADD,
		},
		.name = "cafe::beef",
		.want_return = 0,
		.want_match = 1,
	},
	{
		/* CN with SANs - error due to embedded NUL in GEN_DNS. */
		/* Second SAN decodes to "www.openbsd.org\0nasty.org" (25 bytes). */
		.common_name = "www.openbsd.org.nasty.org",
		.common_name_len = -1,
		.alt_name1 = {
			.name = "www.openbsd.org.nasty.org",
			.name_len = -1,
			.name_type = GEN_DNS,
		},
		.alt_name2 = {
			.name = {
				0x77, 0x77, 0x77, 0x2e, 0x6f, 0x70, 0x65, 0x6e,
				0x62, 0x73, 0x64, 0x2e, 0x6f, 0x72, 0x67, 0x00,
				0x6e, 0x61, 0x73, 0x74, 0x79, 0x2e, 0x6f, 0x72,
				0x67,
			},
			.name_len = 25,
			.name_type = GEN_DNS,
		},
		.name = "www.openbsd.org",
		.want_return = -1,
		.want_match = 0,
	},
	{
		/* CN with SAN - non-matching due to non-matching SAN. */
		/* The CN equals name, yet no match is expected: with a SAN present the CN must not be consulted. */
		.common_name = "www.openbsd.org",
		.common_name_len = -1,
		.alt_name1 = {
			.name = "ftp.openbsd.org",
			.name_len = -1,
			.name_type = GEN_DNS,
		},
		.name = "www.openbsd.org",
		.want_return = 0,
		.want_match = 0,
	},
	{
		/* CN with SAN - error due to illegal dNSName. */
		.common_name = "www.openbsd.org",
		.common_name_len = -1,
		.alt_name1 = {
			.name = " ",
			.name_len = -1,
			.name_type = GEN_DNS,
		},
		.name = "www.openbsd.org",
		.want_return = -1,
		.want_match = 0,
	},
};
402d49505fbSjsing
/* Element count of verify_tests; only valid because verify_tests is a real array. */
#define N_VERIFY_TESTS \
	(sizeof(verify_tests) / sizeof(*verify_tests))
405d49505fbSjsing
/*
 * Append one GENERAL_NAME built from alt to alt_name_stack. Only GEN_DNS
 * and GEN_IPADD are supported; any other name_type aborts the test run.
 * A name_len of -1 lets ASN1_STRING_set() take strlen(alt->name).
 * Every failure is fatal (errx), so no cleanup is attempted here.
 */
static void
alt_names_add(STACK_OF(GENERAL_NAME) *alt_name_stack, struct alt_name *alt)
{
	GENERAL_NAME *gn;
	ASN1_STRING *value;

	if ((gn = GENERAL_NAME_new()) == NULL)
		errx(1, "failed to malloc GENERAL_NAME");
	gn->type = alt->name_type;

	if ((value = ASN1_STRING_new()) == NULL)
		errx(1, "failed to malloc alt name");
	if (ASN1_STRING_set(value, alt->name, alt->name_len) == 0)
		errx(1, "failed to set alt name");

	/* Ownership of value moves into the GENERAL_NAME union member. */
	if (gn->type == GEN_DNS)
		gn->d.dNSName = value;
	else if (gn->type == GEN_IPADD)
		gn->d.iPAddress = value;
	else
		errx(1, "unknown alt name type (%i)", gn->type);

	if (sk_GENERAL_NAME_push(alt_name_stack, gn) == 0)
		errx(1, "failed to push alt_name");
}
43566b91627Sjsing
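/*
 * Attach a subjectAltName extension to cert holding every populated SAN
 * slot of vt (a slot is populated when its name_type is non-zero). When
 * no slot is populated the certificate is left without the extension.
 * All failures are fatal (errx).
 */
static void
cert_add_alt_names(X509 *cert, struct verify_test *vt)
{
	STACK_OF(GENERAL_NAME) *alt_name_stack;

	/*
	 * Look at all three slots rather than only the first, so a table
	 * entry that fills a later slot alone still gets its extension.
	 */
	if (vt->alt_name1.name_type == 0 && vt->alt_name2.name_type == 0 &&
	    vt->alt_name3.name_type == 0)
		return;

	if ((alt_name_stack = sk_GENERAL_NAME_new_null()) == NULL)
		errx(1, "failed to malloc sk_GENERAL_NAME");

	if (vt->alt_name1.name_type != 0)
		alt_names_add(alt_name_stack, &vt->alt_name1);
	if (vt->alt_name2.name_type != 0)
		alt_names_add(alt_name_stack, &vt->alt_name2);
	if (vt->alt_name3.name_type != 0)
		alt_names_add(alt_name_stack, &vt->alt_name3);

	/*
	 * X509_add1_ext_i2d() DER-encodes the stack into the certificate
	 * (non-critical, no flags), so the stack itself is freed afterwards.
	 */
	if (X509_add1_ext_i2d(cert, NID_subject_alt_name,
	    alt_name_stack, 0, 0) == 0)
		errx(1, "failed to set subject alt name");

	sk_GENERAL_NAME_pop_free(alt_name_stack, GENERAL_NAME_free);
}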
460d49505fbSjsing
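/*
 * Run a single verify_test: build the certificate described by vt, call
 * tls_check_name() with vt->name and compare the return value and the
 * reported match against the expectations. Returns 0 on success and 1 on
 * failure (with a diagnostic on stderr); setup failures abort via errx.
 */
static int
do_verify_test(int test_no, struct verify_test *vt)
{
	struct tls *tls;
	X509_NAME *name;
	X509 *cert;
	const char *errstr;
	int failed = 1;
	int match;
	int rv;

	/* Build certificate structure. */
	if ((cert = X509_new()) == NULL)
		errx(1, "failed to malloc X509");

	/* A common_name_len of 0 means the certificate carries no CN at all. */
	if (vt->common_name_len != 0) {
		if ((name = X509_NAME_new()) == NULL)
			errx(1, "failed to malloc X509_NAME");
		/*
		 * name_type picks the string type of the CN entry, defaulting
		 * to MBSTRING_ASC. A common_name_len of -1 makes OpenSSL use
		 * strlen(); an explicit length allows embedded NULs in the CN.
		 */
		if (X509_NAME_add_entry_by_NID(name, NID_commonName,
		    vt->name_type ? vt->name_type : MBSTRING_ASC,
		    (const unsigned char *)vt->common_name,
		    vt->common_name_len, -1, 0) == 0)
			errx(1, "failed to add name entry");
		/* X509_set_subject_name() keeps its own copy, hence the free. */
		if (X509_set_subject_name(cert, name) == 0)
			errx(1, "failed to set subject name");
		X509_NAME_free(name);
	}

	if ((tls = tls_client()) == NULL)
		errx(1, "failed to malloc tls_client");

	cert_add_alt_names(cert, vt);

	/*
	 * Pre-set to "matched", presumably so that the non-matching cases
	 * also verify that tls_check_name() actively clears the flag.
	 */
	match = 1;

	rv = tls_check_name(tls, cert, vt->name, &match);
	if (rv != vt->want_return) {
		/*
		 * tls_error() yields NULL when no error was recorded (e.g.
		 * the call succeeded where -1 was expected); passing NULL to
		 * %s is undefined behaviour, so substitute a placeholder.
		 */
		if ((errstr = tls_error(tls)) == NULL)
			errstr = "(no error message)";
		fprintf(stderr, "FAIL: test %i failed for check name '%s': "
		    "%s\n", test_no, vt->name, errstr);
		goto done;
	}
	if (match != vt->want_match) {
		fprintf(stderr, "FAIL: test %i failed to match name '%s'\n",
		    test_no, vt->name);
		goto done;
	}

	failed = 0;

 done:
	X509_free(cert);
	tls_free(tls);

	return (failed);
}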
513d49505fbSjsing
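/*
 * Run every entry of verify_tests and exit with the number of failures
 * (0 means all passed). Command-line arguments are not used.
 */
int
main(int argc, char **argv)
{
	int failed = 0;
	size_t i;

	(void)argc;
	(void)argv;

	/* tls_init() reports failure with a non-zero return; do not run on a half-set-up library. */
	if (tls_init() != 0)
		errx(1, "failed to initialise libtls");

	for (i = 0; i < N_VERIFY_TESTS; i++)
		failed += do_verify_test((int)i, &verify_tests[i]);

	return (failed);
}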
527